REvil Ransomware Uses New Tactic To Avoid Detection

Introduction

The REvil ransomware group, also known as Sodinokibi, has recently begun using a new tactic to avoid detection and infect systems. This sophisticated ransomware strain has been active since 2019 and has successfully targeted numerous businesses and organizations globally.

In this article, I will provide an in-depth look at REvil’s latest infection tactic, why it allows the ransomware to fly under the radar, and how organizations can protect themselves from this threat.

REvil’s New Double Extortion Tactic

REvil ransomware sets itself apart with its use of a double extortion tactic. This approach involves not only encrypting a victim’s data but also exfiltrating it and threatening to publish or sell it if the ransom is not paid.

Previously, REvil would infect a system, encrypt the data, and leave a ransom note demanding payment. The criminals would threaten to leak the stolen data if the victim refused to pay up.

The new tactic being used entails infecting the system first but waiting to encrypt the data. Instead, the ransomware operators will silently exfiltrate sensitive data over time before deploying encryption. This allows them to threaten victims with data leakage unless the ransom is paid, even if the target manages to recover the encrypted data through backups.

Why This Tactic Is Effective

There are a few reasons why REvil’s new approach allows it to fly under the radar and infect systems without detection:

  • No immediate disruption from encryption – Because data is not encrypted right away, the attack may go unnoticed by the victim at first. This gives the ransomware more time to spread and exfiltrate data.

  • Difficult to trace exfiltration – The slow and quiet siphoning of data makes abnormal network traffic harder to detect. It allows REvil to cover its tracks.

  • Undermines backups as a defense – Backups are a key defense against traditional ransomware attacks, but once data has been exfiltrated, the criminals still hold a copy to weaponize against victims, whether or not the encrypted systems are restored.

  • Increases pressure to pay – The combination of encrypted systems and threats of data leaks gives the attackers more leverage to coerce victims into paying. It makes refusing the ransom riskier.

Protecting Your Organization From This Threat

Defending against REvil requires a multi-layered security strategy, including:

  • Keep all software updated – Patching and upgrading programs eliminates vulnerabilities that ransomware exploits to gain access.

  • Exercise caution with email – Much malware is delivered via phishing emails. Train employees to identify and avoid suspicious messages or attachments.

  • Use anti-malware tools – Endpoint detection software can block known threats, while anti-ransomware tools look for behavior indicating an attack in progress.

  • Back up regularly – Maintain offline backups of critical data that are inaccessible to ransomware infection. Test restoration regularly.

  • Segment your network – Limiting access between systems prevents malware from spreading extensively if a single system is compromised.

  • Monitor network traffic – Tools to analyze patterns can detect unusual data exfiltration in the early stages before major damage is done.
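The "monitor network traffic" point is where the slow, quiet exfiltration described earlier is actually caught. The script below is an added example written for this article, not code from it or from any vendor tool: it reads constructed flow records (timestamp, source host, destination IP, bytes sent), aggregates outbound volume to external destinations per host, and distinguishes a single large upload (which a size threshold would catch anyway) from the low-and-slow pattern of many sub-threshold transfers spread across hours that add up to a large total. The internal address ranges, the thresholds and the sample data are all assumptions to be tuned against a real baseline.

```python
"""Flag hosts whose external uploads are individually small but large in aggregate.

Added example for the article; flow records and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumption: the organization's internal address space is RFC 1918.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flows (not real telemetry): timestamp,src_host,dst_ip,bytes_out
# ws-012: eight ~450 KB uploads to one external host spread over a day (low and slow)
# ws-031: one 5.2 MB upload in a single burst
# ws-044: mostly internal traffic plus one tiny external transfer
SAMPLE_FLOWS = """\
2024-03-01T08:05:00,ws-012,10.0.0.5,120000
2024-03-01T08:10:00,ws-012,203.0.113.10,450000
2024-03-01T09:40:00,ws-012,203.0.113.10,480000
2024-03-01T11:15:00,ws-012,203.0.113.10,430000
2024-03-01T13:20:00,ws-012,203.0.113.10,470000
2024-03-01T15:50:00,ws-012,203.0.113.10,460000
2024-03-01T17:05:00,ws-012,203.0.113.10,490000
2024-03-01T19:30:00,ws-012,203.0.113.10,440000
2024-03-01T21:45:00,ws-012,203.0.113.10,475000
2024-03-01T10:00:00,ws-031,198.51.100.7,5200000
2024-03-01T10:30:00,ws-044,10.0.0.9,900000
2024-03-01T14:00:00,ws-044,192.168.1.20,300000
2024-03-01T16:00:00,ws-044,203.0.113.55,20000
"""


def is_external(ip: str) -> bool:
    """True when the destination is outside the configured internal ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str):
    """Parse CSV flow lines into (timestamp, host, dst_ip, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, host, dst, nbytes = line.split(",")
        records.append((datetime.fromisoformat(ts), host, dst, int(nbytes)))
    return records


def aggregate_external(records):
    """Per host: total external bytes, largest single flow, distinct hours seen."""
    per_host = defaultdict(lambda: {"bytes": 0, "max_flow": 0, "hours": set(), "dsts": set()})
    for ts, host, dst, nbytes in records:
        if not is_external(dst):
            continue  # internal traffic is not exfiltration for this purpose
        e = per_host[host]
        e["bytes"] += nbytes
        e["max_flow"] = max(e["max_flow"], nbytes)
        e["hours"].add(ts.replace(minute=0, second=0, microsecond=0))
        e["dsts"].add(dst)
    return per_host


def classify(per_host, max_single_flow=1_000_000, total_threshold=3_000_000, min_hours=4):
    """Label hosts as 'burst' (one oversized upload) or 'low_and_slow'
    (every flow under max_single_flow, yet the total crosses total_threshold
    across at least min_hours distinct hours). Thresholds are assumptions."""
    findings = {}
    for host, e in sorted(per_host.items()):
        if e["max_flow"] > max_single_flow:
            findings[host] = "burst"
        elif e["bytes"] >= total_threshold and len(e["hours"]) >= min_hours:
            findings[host] = "low_and_slow"
    return findings


def detect(text: str, **thresholds):
    """Run the whole pipeline on raw flow text and return {host: label}."""
    return classify(aggregate_external(parse_flows(text)), **thresholds)


if __name__ == "__main__":
    for host, label in detect(SAMPLE_FLOWS).items():
        print(f"{host}: {label}")
```

The burst case is included to show what a plain per-flow size alert already covers; the low-and-slow branch is the one that matters for the exfiltration-before-encryption pattern, and its value comes entirely from aggregating over time and comparing against a baseline of what each host normally sends outbound. In production the thresholds would be derived from historical per-host volumes rather than fixed numbers, and the distinct-destination set kept in the aggregate is what an analyst would pivot on next.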

The Future of the Ransomware Threat

With extremely profitable business models, ransomware groups like REvil show no signs of stopping anytime soon. In fact, the ease of deployment via Ransomware-as-a-Service kits means sophisticated strains like REvil will likely only become more widespread.

As defense methods advance, so too will the tactics of these attackers. Organizations must remain vigilant and take proactive steps to secure their networks, back up their data, and prepare incident response plans. Following best practices and keeping informed on the latest threats is crucial to avoid becoming the next ransomware victim.
